Verdict: MALICIOUS
Risk Score: 80

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1059.001 PowerShell
The critical heuristic 'OLE_VBA_ACTIVEX_XLM_CELL_STAGER' indicates that VBA ActiveX events are used to run worksheet-decoded XLM formulas. The extracted VBA macro confirms this by using `ExecuteExcel4Macro` on obfuscated strings. This technique is commonly used to download and execute further stages of malware. The macro's obfuscation makes it difficult to determine the exact payload or destination, hence the 'unknown family' classification.
Heuristics (2)

- VBA ActiveX event runs worksheet-decoded XLM formulas (critical, OLE_VBA_ACTIVEX_XLM_CELL_STAGER): VBA code attached to an ActiveX/UserForm event reconstructs formula text from worksheet constants using Split/Replace/Mid or character shifting, then executes it through ExecuteExcel4Macro or Run. This is a high-confidence malware stager that hides XLM formula execution in sheet cells; it is not a document-parser CVE.
- VBA project inside OOXML (medium, OOXML_VBA): Document contains vbaProject.bin, so VBA macros are present.
Extracted artifacts (3)

Files carved from inside the sample during analysis.

| Filename | SHA-256 | Kind | Source | Size |
|---|---|---|---|---|
| macros.bas | b04961a05ea4f10a5e69c42a567fdfaa29363ec6dedce4d85b473095ba26f417 | vba-macro | oletools.olevba.extract_macros (decoded VBA source from OOXML) | 1141 bytes |
| vbaProject_00.bin | d0c80d154439bd128bce8d27e755ae8c7c53c6947328e71598b4aa4e56df63a0 | vba-project | OOXML VBA project: xl/vbaProject.bin | 16384 bytes |
| emf_00.emf | 76f287b1e3251b7e0e5ba27bfb05b35831150cc665de00f9fd2d807e2d2a028d | ooxml-emf | OOXML EMF part: xl/media/image1.emf | 1976 bytes |